Analysis Overview
SHA256
119ce5247c164be3323cc5fb9a1af164e494ded85da24e1589f3c0d25e74de30
Threat Level: Shows suspicious behavior
The file 119ce5247c164be3323cc5fb9a1af164e494ded85da24e1589f3c0d25e74de30.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-11 23:20
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 23:20
Reported
2024-11-11 23:22
Platform
win7-20240903-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | C:\Users\Admin\AppData\Local\Temp\119ce5247c164be3323cc5fb9a1af164e494ded85da24e1589f3c0d25e74de30.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | N/A |
| N/A | N/A | C:\UserDotB5\devoptiec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\119ce5247c164be3323cc5fb9a1af164e494ded85da24e1589f3c0d25e74de30.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\119ce5247c164be3323cc5fb9a1af164e494ded85da24e1589f3c0d25e74de30.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotB5\\devoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\119ce5247c164be3323cc5fb9a1af164e494ded85da24e1589f3c0d25e74de30.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidVE\\optiaec.exe" | C:\Users\Admin\AppData\Local\Temp\119ce5247c164be3323cc5fb9a1af164e494ded85da24e1589f3c0d25e74de30.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\119ce5247c164be3323cc5fb9a1af164e494ded85da24e1589f3c0d25e74de30.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotB5\devoptiec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\119ce5247c164be3323cc5fb9a1af164e494ded85da24e1589f3c0d25e74de30.exe
"C:\Users\Admin\AppData\Local\Temp\119ce5247c164be3323cc5fb9a1af164e494ded85da24e1589f3c0d25e74de30.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
C:\UserDotB5\devoptiec.exe
C:\UserDotB5\devoptiec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\UserDotB5\devoptiec.exe
C:\VidVE\optiaec.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\VidVE\optiaec.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-11 23:20
Reported
2024-11-11 23:22
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | C:\Users\Admin\AppData\Local\Temp\119ce5247c164be3323cc5fb9a1af164e494ded85da24e1589f3c0d25e74de30.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | N/A |
| N/A | N/A | C:\SysDrvWI\adobsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvWI\\adobsys.exe" | C:\Users\Admin\AppData\Local\Temp\119ce5247c164be3323cc5fb9a1af164e494ded85da24e1589f3c0d25e74de30.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBOQ\\optixloc.exe" | C:\Users\Admin\AppData\Local\Temp\119ce5247c164be3323cc5fb9a1af164e494ded85da24e1589f3c0d25e74de30.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\119ce5247c164be3323cc5fb9a1af164e494ded85da24e1589f3c0d25e74de30.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvWI\adobsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\119ce5247c164be3323cc5fb9a1af164e494ded85da24e1589f3c0d25e74de30.exe
"C:\Users\Admin\AppData\Local\Temp\119ce5247c164be3323cc5fb9a1af164e494ded85da24e1589f3c0d25e74de30.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
C:\SysDrvWI\adobsys.exe
C:\SysDrvWI\adobsys.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 102.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\SysDrvWI\adobsys.exe
C:\SysDrvWI\adobsys.exe
C:\KaVBOQ\optixloc.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\KaVBOQ\optixloc.exe